HomeInsightsTerms and Conditions for Online Store and Business

Terms and Conditions for Online Store and Business — Legal Requirements (2026)

Terms and conditions (T&Cs) are the legal foundation of every online business. They define the rights and obligations of the trader and the consumer, protect both parties and ensure legal certainty. This guide provides a detailed overview of the requirements of Bulgarian and European legislation, current as of 2026.

What are Terms & Conditions?

Terms and conditions are pre-formulated contractual clauses drafted by one party (usually the trader) that govern relations with an unlimited number of counterparts — consumers or business clients. Their legal basis in Bulgarian legislation is found in:

  • Obligations and Contracts Act, Art. 16 — the general regulation of T&Cs in civil law;
  • Commerce Act, Art. 298 — T&Cs in commercial transactions;
  • Consumer Protection Act (CPA) — special requirements for consumer contracts, including unfair terms control;
  • Electronic Commerce Act (ECA) — special requirements for the provision of information society services (online commerce).

Terms and conditions become binding on the other party when it has declared in writing (including electronically) that it accepts them. In the context of online commerce, this is accomplished through an active consent mechanism — ticking a checkbox that is not pre-filled.

When are Terms & Conditions mandatory?

Legislation expressly requires terms and conditions in the following cases:

  • Regulated activities — telecommunications, insurance, banking and other regulated sectors where sectoral laws mandatorily require T&Cs;
  • E-commerce — practically mandatory for distance B2C sales (consumer sales), as the ECA and CPA require the provision of extensive pre-contractual information, most effectively structured in T&Cs;
  • Regulated professions — lawyers, notaries, auditors, etc., where professional rules require prior regulation of service terms.

Even when not formally mandatory, T&Cs are strongly recommended for every business, as they ensure legal clarity, reduce the risk of disputes and increase customer confidence.

Ten Key Clauses of Terms & Conditions

Every well-drafted T&Cs document should contain the following key clauses:

  1. Trader identification (ECA, Art. 4)

    Full name, UIC, registered office and management address, contact details (email, telephone), VAT registration number (if applicable). See also our guide on company registration.

  2. Description of goods/services

    The main characteristics of the goods or services offered, including quality, quantity and functionality.

  3. Price inclusive of taxes

    Final price including VAT and all additional charges (delivery, packaging). The CPA requires the consumer to be informed of the total amount due before concluding the contract.

  4. Delivery terms

    Deadlines, delivery methods, territory, risk allocation during transport.

  5. Right of withdrawal — 14 days (CPA, Art. 50–56)

    In distance B2C sales, the consumer has the right to withdraw from the contract within 14 days without giving a reason. A standard withdrawal form must be provided. Exceptions exist (customised goods, perishable goods, unsealed software, etc.).

  6. Commercial warranty and statutory warranty (2 years)

    Under the European directive on the sale of goods, the consumer has the right to a 2-year statutory warranty for conformity of goods. It cannot be limited or excluded through T&Cs.

  7. Limitation of liability

    Clauses defining the limits of the trader's liability. These must be carefully drafted to avoid being classified as unfair.

  8. Intellectual property

    Rules regarding copyrights, trademarks and other intellectual property of the trader.

  9. Applicable law, disputes and ODR

    Determination of the applicable law and the method of dispute resolution. Providing a link to the European Online Dispute Resolution (ODR) platform is mandatory: ec.europa.eu/odr.

  10. Force majeure and amendment of T&Cs

    Force majeure clauses and rules for amending T&Cs. For consumer contracts, amendments require prior notice and the provision of a right to terminate the contract.

Consumer Protection

The Consumer Protection Act (CPA) sets strict requirements for T&Cs in B2C relations:

Unfair terms (Art. 143–148 CPA)

Clauses in T&Cs that have been pre-formulated by the trader and not individually negotiated are subject to unfairness control. A clause is unfair if it is to the detriment of the consumer, does not meet good faith requirements and causes a significant imbalance between the rights of the parties. Such clauses are VOID — they have no legal effect.

The CPA contains a "black list" of clauses that are always considered unfair — e.g. unilateral price changes, limiting the right to complain, shifting the burden of proof. The Consumer Protection Commission (CPC) actively monitors compliance.

Pre-contractual information (Art. 47 CPA)

Before concluding a distance contract, the trader must provide the consumer with extensive pre-contractual information, including: identification, main characteristics of the goods/services, final price, delivery terms, right of withdrawal with form, warranty, contract duration and termination conditions.

14-day withdrawal

The right of withdrawal within 14 days is mandatory — it cannot be excluded or limited through T&Cs. The exceptions are exhaustively listed in the law (Art. 57 CPA): customised goods, perishable goods, sealed audio/video recordings and software after unsealing, newspapers/periodicals, urgent repairs, etc.

E-Commerce (ECA)

The Electronic Commerce Act (ECA) sets additional requirements for online traders:

Mandatory information (Art. 4–6 ECA)

The information society service provider is required to provide in an easily accessible place on its website: name, UIC, registered office, contact details, VAT registration number, information about the supervisory authority (for regulated activities).

Concluding a contract online (Art. 7–11 ECA)

The online contract conclusion process must include:

  • Clear technical steps for concluding the contract;
  • Opportunity to review and correct the order before confirmation;
  • Confirmation of receipt of the order by electronic means;
  • Storage of the contract and provision of access to it for the consumer.

Commercial communications

Sending commercial communications (email marketing) requires prior consent (opt-in) from the recipient. Non-compliance may lead to fines from the CPC and CPDP.

NRA registration

Since 2020, every online store is required to register with the NRA before commencing operations, providing information on the website, software and payment methods.

GDPR Integration

Personal data protection is an integral part of the legal framework of every online business, but it must be properly structured:

  • The privacy policy is a SEPARATE document from T&Cs — although the practice of mixing them is widespread, this is legally incorrect. The privacy policy governs the processing of personal data pursuant to GDPR (Regulation 2016/679), the PDPA and the CPDP guidelines.
  • Cookie consent (ePrivacy) — obtaining informed consent for the use of cookies that are not strictly necessary for the functioning of the website is mandatory. Consent must be freely given, specific, informed and unambiguous.
  • Fines — GDPR violations may lead to fines of up to EUR 20 000 000 or 4 % of the undertaking's global annual turnover (whichever is higher).

NEW: GPSR — General Product Safety Regulation (from 3 February 2026)

With the transposition of Regulation (EU) 2023/988 on general product safety (GPSR), published in SG No. 13/2026, new obligations come into force that directly affect terms and conditions and online trade:

  • Online platforms and Safety Gate — online marketplaces are required to integrate the EU Safety Gate system for rapid notification of dangerous products. Traders must respond immediately upon a signal from the system.
  • Increased fines — sanctions for placing dangerous products on the market have been significantly increased, harmonised with European standards.
  • Representative actions — the possibility of collective (representative) actions by consumer organisations against traders violating safety requirements has been introduced.
  • Obligations for online traders — every online trader offering products on the European market must provide full safety information, including warnings, instructions for use and manufacturer data.

Online store T&Cs should be updated in light of the new GPSR requirements, including product recall procedures and consumer notification.

Ten Most Common Mistakes in Terms & Conditions

In reviewing hundreds of T&Cs of Bulgarian online stores and businesses, the following mistakes are most commonly encountered:

  1. Copy-paste from other T&Cs — copying terms and conditions from another website (often foreign) without adapting them to Bulgarian legislation and the specifics of the particular business.
  2. Hiding the 14-day right of withdrawal — failure to disclose or intentionally obstructing the exercise of the withdrawal right. This is not only a violation but also extends the withdrawal period to 12 months.
  3. Unilateral amendment without exit right — a clause allowing the trader to unilaterally amend the T&Cs without providing the consumer with the right to terminate the contract. This is an unfair clause.
  4. Mixing T&Cs with the Privacy Policy — the two documents have different legal bases and purposes. Mixing them confuses the consumer and may lead to GDPR violations.
  5. Lack of active consent — a pre-ticked checkbox or lack of a mechanism for express acceptance of T&Cs. Consent must be an active action by the consumer.
  6. Lack of pre-contractual information — failure to comply with the obligations under Art. 47 CPA to provide full information before concluding the distance contract.
  7. Limiting the 2-year statutory warranty — an attempt to shorten the statutory warranty period. This is a void clause — the warranty is mandatory.
  8. Unregistered online store with the NRA — since 2020, registration is mandatory. Its absence may lead to significant fines.
  9. Missing ODR link — providing a link to the European Online Dispute Resolution platform (ec.europa.eu/odr) is mandatory for EU consumers.
  10. Improper cookie consent — automatic loading of tracking cookies without prior consent, lack of an option to refuse or deceptive banner design.

Frequently asked questions

Can I use a T&Cs template from the internet?
Technically you can, but this is highly inadvisable. Templates rarely reflect the specifics of your business and Bulgarian legislation. Copying T&Cs from another website may lead to the inclusion of inapplicable clauses, omission of mandatory elements and even copyright infringement. We recommend that T&Cs be drafted or at least reviewed by a lawyer specialising in e-commerce and consumer protection.
Am I required to provide the right of withdrawal for all goods?
In distance B2C sales, the right to a 14-day withdrawal is the general rule. However, there are exceptions expressly provided for by law (Art. 57 CPA): goods made to the consumer's individual specifications; goods with a short shelf life; sealed audio or video recordings and software after unsealing; newspapers and periodicals; contracts for accommodation, transport, catering or leisure activities for a specific date. If your goods do not fall within the exceptions, the right of withdrawal is mandatory.
What are the sanctions for missing T&Cs or unfair terms?
The Consumer Protection Commission (CPC) may impose fines for violations of the CPA and ECA — from EUR 500 to EUR 25,000 depending on the violation and recurrence. Unfair clauses are void — they have no legal effect and are not binding on the consumer. Additionally, GDPR violations may result in fines of up to EUR 20,000,000 or 4 % of annual turnover. With the GPSR from 3 February 2026, representative actions have been introduced, allowing consumer organisations to bring collective claims.

Need assistance?

The Innovires team can draft or review your terms and conditions, privacy policy and cookie policy in full compliance with the CPA, ECA, GDPR and GPSR.